In recent weeks there has been considerable media coverage regarding Cyber Attacks and IT Outages relating to NSW Government Agencies

What is the extent of these attacks?

According to a 19 June 2020 article in the SMH, China-originated cyber attacks have targeted critical infrastructure including hospitals, local Councils and state-owned corporations and Transport for NSW has experienced a malicious hack causing a massive system outage.

NSW and Australian Government response

The NSW Government is developing a sector-wide cyber security strategy to replace its existing scheme and the NSW Cyber Industry Development Strategy and will allocate $240 million to cyber security.

The Minister for Customer Service, Victor Dominello said that the 2020 NSW Cyber Security Strategy will ensure the NSW Government continues to provide secure, trusted and resilient services and address the cyber workforce and skills gaps in the post-COVID-19 climate. 

The PM, Scott Morrison has pledged invest $1.35 billion to counter the wave of hacking attempts against the country.

What are NSW Government Agencies required to do?

All NSW Government agencies and cluster Departments are required to attest to the Cyber Security Policy (CSP) by 31 August. This attestation is in relation to the agency’s Information Security Management System (ISMS).

How can we help?

Centium can:

• Review and update your ISMS, based on risk and risk appetite, so that your ISMS is bespoke and fit for purpose yet in line with the CSP
• Identify the gaps which may prevent you from providing a positive CSP attestation by 31 August
• Guide you on how to fix the gaps in the CSP’s 25 mandatory requirements • Enable you to positively attest to the CSP by the deadline
• Prepare your Essential Eight maturity assessment 
• Supplement internal audit capabilities in this area
• Conduct a technical assessment of your cybersecurity defences
• Conduct your ISMS independent internal audits per CSP requirements
• Develop and/or test your Cyber Security Incident Response Plan
• Develop and/or test your Business Continuity and ICT Recovery Plans
• Assist with cybersecurity education

Centium has extensive experience in assisting agencies to ensure compliance with this requirement, as set out here.

Council’s Challenge

The Covid-19 pandemic has brought unprecedented operational difficulties for all sectors including local government.  Among them are the dual problems of assisting Council staff to ‘do the right thing’ while working and managing others remotely and of delivering effective training to ensure those staff understand their obligations.

Our Solution

Centium has developed two eLearning Modules based on the Model Code of Conduct for Local Councils in NSW.  These self-paced online training modules educate and reinforce expected conduct and behaviour messages to staff in an accessible and enjoyable way.

The training contains real life scenarios where sometimes it can be hard to know what the right thing is to do.  Our training makes it clear what ethical and honest conduct is. 

The two modules in our eLearning Solution are: 

• Foundation Module | detailing minimum standards and behaviour expected from new staff
• Refresher Module | reminding existing staff of their conduct obligations

Next Steps

For further information or to discuss your training needs,  please contact Sarah Artist, Manager Strategy and Engagement. 

Highly regarded probity expert, Howard Elliott has recently joined Centium

Our clients will benefit from Howard’s extensive expertise, notably gained from 30 years’ experience delivering probity, procurement, information technology and telco consulting services to a wide variety of commercial and government clients.

Howard is heading up a highly skilled team of specialist consultants and subject matter experts who collectively form our new specialised service offering - Centium Probity.

In addition to the more ‘traditional’ Probity & Procurement advisory and audit services, Centium Probity will be providing our clients with a holistic, end-to-end probity and procurement service offering: 

• Competency enhancement programs to assist organisations increase their probity competency and awareness, including regular reviews, health checks and accreditation certification.
• Complete transaction outsourcing, from Requirements & specifications, to RFI/RFT and contract negotiations.

More details about Centium Probity can be found here.

 Howard is looking forward to the opportunity to provide you with high quality services and would greatly appreciate the opportunity for Centium Probity to provide you with a fee proposal for your next transaction.  He may be contacted on howard.elliott@centium.com.au or 0411 508 810

This upcoming (7 May 2020) webinar features two leading Business Resilience and Ethical Conduct specialists discussing the risks and key issues emerging from the evolving COVID-19 pandemic.

Australia is facing a stark reality where disasters are becoming almost something of the norm and so organisations need to be innovative and adapt to the daily challenges and emerging risks they are being faced with.  Each one of us is both personally and professionally affected by the current COVID-19 outbreak.

In this webinar you will hear from a disaster and emergency management expert, David Parsons and leading ethic conduct specialist, Chris Wheeler on the risks and key issues emerging from the evolving COVID-19 pandemic, in addition to being provided with helpful and practical techniques on how to manage these risks.

The webinar will:

• outline approaches on how you can best use business continuity and resilience in your organisations to take you through these unprecedented times
• identify risk, conduct, performance and supervision issues that will arise as a result of what is likely to be a seismic shift in the way many employees conduct their day to day work, as well as the implications of this change for complaint handling, whistleblowing and investigations

We will hold a short panel discussion with the experts after their presentations to get some additional valuable insight.

SPEAKERS

David Parsons, BEd, BSocSc, MEM

DISASTER AND EMERGENCY EXPERT David has extensive experience implementing emergency management programs in the public and private sector. David has developed emergency management plans, conducted exercises and implemented training for critical infrastructure
owners and operators. David is currently implementing emergency management leadership reform programs in Australia and New Zealand.

Chris Wheeler, LLB, BTRB, MTCP

SPECIALIST ADVISER, ETHICAL CONDUCT, CENTIUM Chris is a solicitor, accredited mediator and town planner who has worked for State and local government agencies in Victoria and NSW. He was Deputy NSW Ombudsman for 25 years. In his consulting work since July 2019, Chris has focussed on whistleblower management and advice, complaint management, advice and investigations (including the management of unreasonable conduct by some complainants), training on the handling of complaints and public interest disclosures, and on administrative law for non-lawyers exercising discretionary powers.

Undeniably, COVID-19 has presented unprecedented circumstances for the global community, as well as for Australian business. 

Click here to view a summary of the Government stimulus packages announced by the Federal and NSW State Governments over the past two weeks.  This information will ensure that SMEs maximise Government and other assistance available so that businesses may survive during and well beyond the extraordinary conditions we are all faced with right now.

The Government has put these initiatives in place to:

• Support the Australian economy throughout this crisis.
• Keep as many businesses operating as possible and to keep people working.
• Help the Australian economy to recover once the crisis is over.  

The summary is broken down into 3 main areas:

1. The key points of the various stimulus packages, focusing on those aspects that are of most relevance to SMEs.
2. How to access the package support benefits, and the accounting and tax implications.
3. Advice on what SMEs can do now to keep business operating, as well as some actions that can be taken to future proof businesses for the new operating models that will inevitably emerge after this crisis has passed.

The NSW Audit Office 2019 audit report on the NSW local government sector contains unqualified audit opinions on the 2018–19 financial statements of 134 councils and 11 joint organisations.

The opinion for one council was disclaimed and three audits are yet to be completed.

What did the audit examine?

In addition to forming an opinion on councils’ financial statements, the audits examined the following risk areas:

• Credit card management
• Fraud controls
• Gifts and benefits
• Cyber security
• Landfill rehabilitation

What did the audit find?

The report notes “pleasing indicators of the gradual strengthening of governance and financial oversight of the sector” but recommends improvements in the following areas:

• preparing for new accounting standards
• strengthening controls over information technology and cyber security management
• asset management practices

What can we learn?

Irrespective of whether you’re in local government, state government, the private or not-for-profit sector, see how your own organisation stacks up against the Audit Office’s recommendations:

Strengthen the quality and timeliness of financial reporting

• Allocate sufficient time and resources to the financial reporting process
• Have appropriate systems, processes and resources to implement the new accounting standards

Improve governance and internal controls

• Ensure audit recommendations are addressed in a timely manner. High risk issues need to be prioritised and repeat issues from prior years resolved
• Have an audit, risk and improvement committee
• Have an internal audit function to support a risk and compliance culture
• Have a legislative compliance framework to capture and monitor compliance with key laws and regulations
• Continue improving fraud control systems
• Have adequate processes and controls to ensure compliance with a gifts and benefits policy and Code of Conduct

Strengthen IT controls and cyber security management

• Ensure key IT policies are formalised and regularly reviewed to ensure emerging risks are considered and policies are reflective of changes to the IT environment
• Ensure IT risks are identified and appropriately managed
• Improve user access management processes to ensure that information systems are secure and that there are adequate controls for making changes to information systems
• Implement at least the basic governance and internal controls to manage risks associated with cyber security

Improve asset management practices

• Regularly update asset registers, reconcile asset registers with asset management systems and have suitable controls in place to ensure the integrity of manual spreadsheets
• Start the asset valuation process earlier and ensure there is a clear plan to ensure valuations are managed and documented appropriately
• Periodically reconcile asset registers to the Crown Land Information Database (CLID) and investigate any discrepancies in a timely manner
• Review the methodology and assumptions in how they account for landfill sites

A copy of the full report can be found here.

“The managing director of logistics giant Toll Group has warned other CEOs they must expect to suffer the horror of a major cyber attack.”¹

The Australian Financial Review, 10 March 2020

In February 2020, Toll was forced to shut down key systems – including online bookings – for three weeks after being attacked by a strain of the Mailto ransomware.²

The fallout was immediate and savage: frustrated customers vented on social media and the financial press devoted extensive coverage to the business impacts.

Also in February, security concerns shut down the Australian Defence Force’s outsourced recruitment records system for 10 days.³

On New Year’s Eve 2019, global currency exchange Travelex discovered it was infected by Sodinokibi ransomware, keeping vital services offline until well into January.

Hackers infiltrated the Australian National University’s IT systems in mid-2018, with another attack later that year, potentially compromising Australia's leading national security college and key defence research projects.^{4, 5}

Analysis of these incidents makes it clear: malicious attacks are growing increasingly sophisticated, they don’t discriminate by sector, and they cause significant disruption. This includes loss of productivity and customer service as well as reputational damage.

Organisations need to keep their prevention, protection and detection systems and capabilities up to date.

More crucially, these attacks have highlighted the importance of recovery planning. In the event of an attack, organisations need to keep operating and minimise business impacts.

What can you do?

Every organisation needs a robust and up-to-date Business Continuity Plan that includes contingency for significant business system failures.

Your Business Continuity Plan must be fit for purpose, include a comprehensive IT disaster recovery module, and be adequately tested to ensure it is effective.

For a confidential discussion, please contact our Managing Director Phil O'Toole.

1.'It will happen to you': Toll chief opens up on cyber attack, The Australian Financial Review, 10 March 2020

2.Toll close to restoring key service three weeks after cyber attack,The Australian Financial Review, 24 February 2020

3.Fears private details of Defence Force members compromised in database hack, abc.net.au, 4 March 2020

4.Chinese hackers breach ANU, putting national security at risk, Sydney Morning Herald, 6 July 2018

5.ANU data breach: How hackers got inside Australia's top university, The Canberra Times, 2 October 2019

The rapidly developing Coronavirus situation has significant implications for Australian businesses and government organisations.

The Coronavirus pandemic is unlike other potential disasters typically covered by your organisation’s Business Continuity or Emergency Management Plans.

Organisations must ensure that relevant risks are being anticipated and managed, employees protected, and business continuity preserved during prolonged uncertainty.

Are you confident that your Business Continuity and Emergency Management Plans are up to date and ready to cope with the potential impact on your operations?

Click here for more details about the challenges your business will face as the pandemic continues.

Contact Penny Corkill, Director Risk & Assurance for more information about how Centium can help.

In March 2020, the Australian Government announced a COVID-19 stimulus package, including $1.6 billion in tax relief to small business. Read a summary of the measures to support small business here.

The NSW State Government also released a stimulus package in March 2020 with measures to support small business. Find out more here.

The Australian Government’s University Foreign Interference Taskforce last week released Guidelines to support the Australian University Sector in managing the risks associated with ongoing and valuable international collaboration.

The stated objective of the Guidelines is to “provide additional guidance on which universities can draw to assess risk in their global engagements, and to safeguard their people and data.”

The Guidelines are designed to “uphold the foundational principle of university autonomy” and are thus constructed around a series of questions to guide decision-making and better practice principles, including:

Governance and Risk Frameworks

• Accountable authorities
• Foreign interference risk planning

Due Diligence

• Know your partner (e.g. guidance for staff; legislative compliance; pre / ongoing due diligence assessments; staff capacity)
• Robust agreements (e.g. explicit agreements; philanthropy and donations)
• Research and intellectual property (e.g. research contracts; end-use possibilities; dual-use and/or sensitive technologies and research; active IP partnerships)

Communication and Education

• Promoting communication and education programs, plans and staff awareness training

Knowledge Sharing

• Sharing information between universities and with the Commonwealth (e.g. lessons learning; knowledge sharing with relevant government agencies)

Cyber Security

• Cyber Security Strategy
• Intelligence sharing
• Staff awareness and positive security culture
• Cyber threat modelling

WHAT OUR CLIENTS NEED TO DO

The Guidelines suggested that universities review their existing protocols and protections against each of the above components. Some examples include:

• Processes that ensure staff are aware of foreign interference risks
• Levels of visibility that senior administrators and officials have re staff appointments
• The potential for staff research to be used for purposes that are inconsistent with promoting economic, social and security benefits for Australians
• Training requirements to promote awareness of foreign interference risks
• Collaboration and sharing of information across the higher education sector
• Cyber security strategies to ensure that resources and capabilities are in place to protect valuable information systems.

Universities (and other higher education institutions) should also give consideration to best practice suggestions, as well as several case studies contained within the Guidelines.

HOW WE CAN HELP

Centium has “up-to-the-minute” experience regarding foreign collaborative arrangements as we are currently partnering with a leading university to review its offshore learning programs. Review components include contract documentation, staff awareness and training, and overall risk assessment and management.

Centium also has vast, hands-on expertise in assisting a range of Australian universities, research organisations and higher education institutions to build cyber security capacity.

We would thus be pleased to work with our existing and new clients to share these learnings and/or discuss ways in which to assess maturity against some or all of the principles outlined in the Guidelines.

For more information regarding our university sector experience, please contact Penelope Corkill, Director Risk & Assurance.

The Government Sector Finance Act (the Act) introduces a greater focus on performance, transparency, accountability, and efficiency with respect to financial management in the government sector.

The Act was assented in October 2018, with staged commencement its provisions over five key phases. The principles outlined in the Act will be supplemented by regulations and Treasurer’s Directions.

Phase 2 commenced 1 July 2019. Provisions of the Act in Phase 2 include:

• Budget, Appropriations and Special Deposit Accounts (SDAs)
• Expenditure & Gifts (Act of Grace Payments, Payment of Tax Equivalents to the Treasurer, etc.)

WHAT OUR CLIENTS NEED TO DO

Take action to address the requirements of Phase 2, as follows:

• Review ‘own-source’ money and check the Regulation to ensure they are within the scope of deemed appropriations
• For any SDAs, ensure that a responsible manager has been appointed and appropriate records maintained (in preparation for Phase 5 that will require financial reporting of SDAs for Financial Year 2021-2022)
• Identity GSF Agencies, Accountable Authorities, Responsible Ministers and Government Officers within their Cluster, taking into consideration any Machinery of Government (MoG) changes
• Review existing delegations to ensure they reflect post-MoG changes and, where possible, leverage opportunity for flexibility and streamlining.

All GSF Agencies are also required to keep up to date regarding Treasurer’s Directions and Treasury Policies and Procedures (TPPs).

HOW WE CAN HELP

The Auditor-General identified incorrect application of Phase 1 requirements as the root cause for some errors identified within the State’s 2018-19 consolidated Financial Statements.

Centium can offer fiduciary reviews to assess whether policy frameworks and controls are operating in line with current GSF Act Provisions. Such reviews can also incorporate an assessment of agency policies and controls against future phases to assist our clients with their preparation.

Our team includes several accounting and financial specialists who can provide guidance and advice regarding the application of Australian Accounting Standards, the Acts and TPPs.

For more information regarding Phase 2 requirements, please do not hesitate to contact Penelope Corkill, Director Risk & Assurance.

OLG have released a circular advising councils and joint organisations of updates to Annual Report and Performance Statement checklists for implementation.

WHAT’S NEW OR CHANGING

• The annual report checklist for councils has been updated to include the reporting requirement for councillor professional development training.

• An annual performance statement checklist has been drafted for joint organisations.

The annual report and annual performance statement checklists are available on the NSW OLG website.

WHAT COUNCILS AND JOINT ORGANISATIONS NEED TO DO

Councils can use the annual report checklist and joint organisations can use the annual performance statement checklist to ensure that all the information required under the Local Government Act 1993 (the Act), the Local Government (General) Regulation 2005 and other relevant legislation and guidelines is in their annual report and annual performance statement.

While joint organisations are not required to produce an annual performance statement for the first year of operations, they may elect to and they will need to get prepared for future reporting.

HOW WE CAN HELP

Centium can help by providing training services to assist Councils fulfil their new professional development training requirement for councillors.

We can also offer to support joint organisations in the development, maturity assessment or review of their performance statements.

We invite you to reach out to our highly qualified Risk & Assurance Director Penelope Corkill. We would also invite you to check out information regarding our clients, recent success stories, and other service lines. And please – follow us on LinkedIn.